The ERMAC Android banking virus has been updated to version 2.0, increasing the number of apps targeted from 378 to 467, allowing attackers to steal account passwords and crypto wallets from a much greater number of apps.
Threatfabric researchers found ERMAC in July 2021, notably it is based on the well-known banking trojan Cerberus. Cerberus' source code was released in September 2020 on underground hacking forums after its operators failed an auction. The trojan's goal is to send stolen login credentials to threat actors, who then use them to gain access to other people's banking and cryptocurrency accounts and commit financial or other crimes.
ERMAC is currently available for subscription to members of darknet sites for $5,000 a month, that is a $2k increase over the first release's price, indicating the boost in features and popularity. A bogus Bolt Food application targeting the Polish market is the first malware campaign to use the new ERMAC 2.0 virus.
According to ESET researchers, the threat actors disseminated the Android software by impersonating a reputable European food delivery business on the "bolt-food[.]site" website. This phony website is still active.
Phishing emails, fraudulent social media posts, smishing, malvertising, and other methods are likely to lead users to the false site. If users download the program, they will be confronted with a request for complete ownership of private data.
Following ESET's early discovery, Cyble researchers examined the malware. ERMAC determines whether programs are installed on the host device before sending the data to the C2 server. The answer contains encrypted HTML injection modules which match the application list, which the virus decrypts and saves as "setting.xml" in the Shared Preference file. When the victim tries to run the real program, the injection operation takes place, and a phishing page is displayed on top of the original one. The credentials are forwarded to the same C2 that is responsible for the injections.
The following commands are supported by ERMAC 2.0:
- downloadingInjections — sends the application list for injections to be downloaded.
- logs — this command sends the injection logs to the server.
- checkAP — check the status of the application and transmit it to the server.
- registration – sends information about the device.
- updateBotParams — sends the bot parameters that have been updated.
- downloadInjection — this function is used to download the phishing HTML page.
EMAC 2.0 targets financial apps from all over the world, making it appropriate for use in a wide range of nations. A large number of apps supported makes this a dangerous piece of malware, but it's worth mentioning that it would have issues in Android versions 11 and 12, thanks to extra limits implemented by Google to prevent misuse of the Accessibility Service.